CyberSeal - the seal of quality
The CyberSeal confirms that an IT service provider implements appropriate technical and organizational measures to guarantee its customers adequate protection against cyber risks. The CyberSeal contributes to increasing the cyber resilience of Swiss SMEs.
Who is the Swiss CyberSeal for?
IT service providers with their registered office and customer base in Switzerland can receive the CyberSeal if they assume overall or partial responsibility for the setup and operation of IT and/or configure and provide cloud solutions (e.g., Microsoft 365) on behalf of SME customers.
Added value for the IT service provider
Reduction of implementation, operational and security risks
Cybercrime awareness and establishment of a common language
Fulfillment of minimum IT security requirements creates trust
Better market position and advantages in insurance contracts
Added value for the end customer
Reduction of risks regarding cyberattacks
Fewer incidents, faster remediation and lower costs in the event of an incident
Independent quality seal simplifies the choice of IT service provider
Stronger focus on core business
CyberSeal - Contents of the standard
IT service providers have a direct impact on the cyber resilience of SMEs. It is therefore imperative that IT service providers can demonstrate basic competencies in the following areas:
- Organization: e.g. documentation, division of tasks, training
- Technology: e.g. data protection, authorizations, backup
- Processes: e.g. change and incident management, monitoring
The detailed audit checkpoints and processes are based on the valid CyberSeal Audit Manual of the Alliance Digital Security Switzerland (German and French only).
The CyberSeal audit process
The process runs through a three-year cycle. A comprehensive CyberSeal audit is carried out in year one. In years two and three, a maintenance audit is carried out for quality control purposes. In year four, the cycle starts again with a comprehensive audit.
(1) Interest
If interested, the IT service provider registers by means of a form. It receives the current CyberSeal checklist, and an appointment for the audit is arranged.
(2) Self-declaration
The IT service provider is asked to complete and submit a self-declaration for each applicable item on that checklist.
(3) Audit
The auditor verifies the checkpoints in an interview and at the console (in-depth on-site inspection). Self-declaration questions are only addressed by the auditor if clarification is required.
(4) Feedback
If no major deviations have been found, the CyberSeal seal of approval is handed over together with the audit report.
(5) Implementation
Measures to eliminate deviations and to address notes shall be implemented within one year. This is checked in the maintenance audit.
(6) Maintenance
In years two and three after the audit, a maintenance audit is performed by self-declaration. An updated checklist is to be submitted. The auditor reviews the information and discusses any changes to the standard by telephone.
CyberSeal Audit Manual
The CyberSeal audit requirements are reviewed annually and compared against the current threat situation. The manual describes the application of the CyberSeal checklist, the terms used and the audit process. It also explains the requirements and how to deal with possible deviations.
CyberSeal Checklist
The CyberSeal checklist defines the requirements for the IT service provider and is the defined standard for the seal of approval. The precise specifications are intended to promote the uniformity of the audit. For the self-declaration, the IT service provider is provided with the current checklist, which is divided into 26 chapters.
CyberSeal Audit Report
The IT service provider receives this report after the audit. The report describes the results of the passed or failed audit. The report shows major and minor deviations as well as tips and recommendations for improving cybersecurity.
Dealing with deviations, notes and recommendations
Major Deviation: no CyberSeal
A major deviation exists if a requirement is not fulfilled for an item on the checklist that is marked with priority 1.
Dealing with major deviations
The IT service provider has 3 months to rectify the major deviation. At the end of this period, the auditor assesses the rectification. An additional fee of CHF 600 is charged for this review. If the major deviation is not remedied sufficiently, no CyberSeal is issued and the process must be restarted.
Minor Deviation
If a requirement is only partially fulfilled for an item on the checklist with priority 1, this results in a minor deviation.
Dealing with minor deviations
The minor deviation must be addressed by the IT service provider before the next maintenance audit, at which point it is reviewed. A clearly recognizable improvement must have been implemented. Incomplete fulfillment of the requirement can be recorded again as a minor deviation for the next audit or maintenance audit.
Notes and Recommendations
Notes are findings by the auditor that can improve the cyber security of the IT service provider and its customers.
The IT service provider itself decides whether and how the notes are implemented. The auditor discusses the implementation of the notes as part of the next maintenance audit.
The Costs
The CyberSeal quality seal is valid for 3 years. The first year includes a full audit costing CHF 3,700; the second and third years each include an annual maintenance audit costing CHF 600.
CyberSeal Audit
- Certified IT service provider
Maintenance Audit
- Telephone call in years two and three for the maintenance audit
- One-hour discussion (online or by phone) of progress based on the self-declaration and current threats
- Update regarding current cyber risks
- Review of the self-declaration